Data at Rest Made Easy

Securing Data at Rest (DAR) is a core issue for both US industry and government. What most people do not realize is that there are great tools available for laptop/desktop DAR security as well as for enterprise, data center, and cloud DAR security. In the early 2000s, the National Security Agency worked with the global data storage industry, including companies such as Micron, Western Digital, Seagate and others, to define a standard for securing DAR on hard disk drives (HDD), solid state drives (SSD) and other storage devices. These devices are referred to as Self Encrypting Drives (SED). Variants of SEDs have been developed that follow Federal Information Processing Standards (FIPS) 140-2; these are referred to as FIPS certified SED devices.

The Trusted Computing Group (TCG), an international standards body, created a standard called OPAL which defines, at the hardware level, the algorithms and process for securing DAR using hardware encryption. The storage industry adopted this standard and now sells versions of its storage devices with OPAL circuitry on them. TCG OPAL storage devices have a cryptographic processor built into them, and all data stored on an OPAL drive IS encrypted as it is written to disk and decrypted as it is read from disk.

However, a SED device is NOT necessarily safe until you put a password or pin on EACH storage device, thereby locking the device. Laptop and desktop storage devices are referred to as OPAL devices and have a slightly different set of capabilities than enterprise, data center and cloud storage devices, which are referred to as Enterprise devices. For desktops and laptops, most operating systems such as Windows, Mac or Linux have software that makes it possible for the user or administrator to add the pin, which is entered prior to booting the machine.

However, for enterprise, data center, and cloud storage it's not so easy. No enterprise, data center or cloud administrator is going to manually manage and maintain the pins for dozens, hundreds, or thousands of storage devices. Surprisingly, there has been, until now, no enterprise-class software from a US company to control the process of managing and maintaining pins on dozens, hundreds or thousands of storage devices in an enterprise, data center or cloud storage setting. Some of the higher-end storage enclosure makers do provide some limited support in this area, but it is not consistent and typically not available for the low-cost enclosures that make up the bulk of most enterprise, data center, and cloud storage systems.

FUTURA Cyber's Crypto Management Platform (FC-CMP) provides the capability to place pins on ALL target storage devices in a typical enclosure attached to a SUSE, Red Hat, Ubuntu, or CentOS Linux server. Our solution runs on the command line and, when combined with standard enterprise DevOps tools such as Chef, Salt or Puppet, can provide the automation to lock and unlock storage. All pins are generated using a standard KMIP Key Management Server (KMS), and FC-CMP tracks each drive and its associated set of pins in a highly redundant and safe fashion. Our software not only locks and unlocks drives but can also cryptographically erase a drive, making it unreadable before it is removed from a system for repair, replacement, or destruction. In fact, a locked TCG Opal or Enterprise FIPS SED that is lost or stolen does not actually qualify as a data spill, because the drive is locked and the data is encrypted with AES-256, making it highly secure.

In its most recent publication on DAR, the National Institute of Standards and Technology (NIST) has issued directives 800-175A and 800-175B, which require government projects with confidential or classified information to use SED or FIPS SED devices, as directed by the Federal Information Security Modernization Act (FISMA) of 2002. Consequently, government projects must acquire FIPS SED devices, which they often do. However, most often they do not actually use the SED or FIPS SED modes of these devices. Acquisition is a check box but NOT real security. FC-CMP offers a low-friction and cost-effective means of adopting and enforcing real hardware-level DAR security for any TCG OPAL or Enterprise storage device running in most storage enclosures!
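The "acquired but never locked" gap described above is something an administrator can audit. The following is an added example, not FC-CMP code and not part of the original article: a small Python check that parses the per-drive output of the open-source `sedutil-cli --query` tool and flags Opal drives whose locking is supported but not enabled. The "Locking function" line format is assumed from sedutil's reporting, and the two device outputs are constructed samples, not real drives.

```python
import re
from typing import Dict, List

# Constructed sample output of `sedutil-cli --query` for two drives (not real devices).
# The "Locking function" line format is assumed from sedutil's reporting; check it
# against your own sedutil version before relying on this parser.
SAMPLE_QUERY_OUTPUT: Dict[str, str] = {
    "/dev/sda": """\
/dev/sda ATA EXAMPLE-SSD-1 FW1.0 SERIAL0001
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
""",
    "/dev/sdb": """\
/dev/sdb ATA EXAMPLE-SSD-2 FW1.0 SERIAL0002
Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
""",
}

LOCKING_FIELDS = ("Locked", "LockingEnabled", "LockingSupported",
                  "MBRDone", "MBREnabled", "MediaEncrypt")

def parse_locking_feature(query_output: str) -> Dict[str, bool]:
    """Extract the Opal Locking feature flags (Y/N) that follow the 'Locking function' header."""
    flags: Dict[str, bool] = {}
    lines = query_output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Locking function") and i + 1 < len(lines):
            for name in LOCKING_FIELDS:
                m = re.search(rf"\b{name} = ([YN])", lines[i + 1])
                if m:
                    flags[name] = m.group(1) == "Y"
            break
    return flags

def classify_drive(flags: Dict[str, bool]) -> str:
    """Turn the locking flags into an audit verdict."""
    if not flags.get("LockingSupported", False):
        return "NOT_OPAL"         # no Locking SP reported: not an Opal SED
    if not flags.get("LockingEnabled", False):
        return "UNPROTECTED"      # SED acquired but no PIN set: readable by anyone holding the drive
    if flags.get("Locked", False):
        return "LOCKED"           # PIN set and locking range currently locked
    return "UNLOCKED_SESSION"     # PIN set but unlocked, as expected while the host is running

def audit(outputs: Dict[str, str]) -> List[str]:
    """One verdict line per device, for feeding into a ticket or a config-management report."""
    return [f"{dev}: {classify_drive(parse_locking_feature(text))}" for dev, text in outputs.items()]
```

On a real host, replace `SAMPLE_QUERY_OUTPUT` with the captured output of `sedutil-cli --query` for each device and treat every `UNPROTECTED` verdict as a drive that is encrypting but not actually protecting its data.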


More articles by Gregory Pepus

